OpenSSH Remote Challenge Vulnerability

Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at remotely-exploitable
vulnerabilities in OpenSSH and Apache; a denial-of-service attack
against BIND 9; buffer overflows in libc, tcpdump, and some RADIUS
daemons; and problems in dnstools, XChat, UnixWare and Open UNIX's
ppptalk, and IRIX's pmpost.

OpenSSH, a free version of SSH (Secure Shell), is vulnerable to a
buffer overflow attack in the challenge response code, which can be used
by a remote attacker to gain root access to a server. In addition,
OpenSSH versions 2.9.9 through 3.3 are vulnerable to an integer
overflow that also can be used to gain root access, versions 2.3.1
through 3.3 are vulnerable to a problem in PAMAuthenticationViaKbdInt,
and versions between 2.9.9 and 3.3 have a bug in
ChallengeResponseAuthentication. Distributions known to be vulnerable
include OpenBSD 3.0, OpenBSD 3.1, FreeBSD-Current, and any system
using OpenSSH version 3.0 through 3.2.3. Only OpenSSH versions
compiled with SKEY or BSD_AUTH support are vulnerable to the
challenge-response vulnerability.

It is recommended that users of OpenSSH upgrade to version 3.4 or
newer as soon as possible and that UsePrivilegeSeparation be
enabled in sshd_config.
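As an added defender's check that is not part of the column, the following POSIX shell script flags an installed OpenSSH version that falls inside the affected ranges quoted above (2.3.1 through 3.3, fixed in 3.4) and reports whether a given sshd_config explicitly enables UsePrivilegeSeparation. The `ssh -V` output line and the sshd_config fragment it runs on are constructed samples.

```shell
#!/bin/sh
# Added check, not from the column. Flags OpenSSH versions in the affected
# ranges (2.3.1 through 3.3 for the PAM issue, 2.9.9 through 3.3 for the
# integer overflow and challenge-response bugs; all fixed in 3.4) and reports
# whether a given sshd_config explicitly enables UsePrivilegeSeparation.

# ver_num VERSION: "OpenSSH_3.2.3, ..." or "3.4p1" -> 30203 / 30400.
# The portable-release suffix (p1) and anything after the number are dropped.
ver_num() {
    v=$(printf '%s' "$1" | sed 's/^OpenSSH_//; s/[^0-9.].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# openssh_status VERSION: prints "affected" for 2.3.1 <= version < 3.4,
# otherwise "unaffected" (by the issues listed here; older releases may have
# other, unrelated problems). Accepts the raw first line of `ssh -V`.
openssh_status() {
    n=$(ver_num "$1")
    if [ "$n" -ge "$(ver_num 2.3.1)" ] && [ "$n" -lt "$(ver_num 3.4)" ]; then
        echo affected
    else
        echo unaffected
    fi
}

# privsep_enabled SSHD_CONFIG: prints "yes" only when an uncommented
# "UsePrivilegeSeparation yes" line is present; the first match is used,
# and a commented-out or missing line counts as "no".
privsep_enabled() {
    v=$(grep -i '^[[:space:]]*UsePrivilegeSeparation' "$1" | head -n 1 \
        | awk '{ print tolower($2) }')
    if [ "$v" = "yes" ]; then echo yes; else echo no; fi
}

# Stand-alone demonstration on constructed sample input.
demo() {
    sample_v='OpenSSH_3.2.3, SSH protocols 1.5/2.0, OpenSSL 0x0090602f'  # constructed
    cfg=$(mktemp)
    printf 'Port 22\n#UsePrivilegeSeparation yes\nChallengeResponseAuthentication yes\n' > "$cfg"
    echo "version: $sample_v -> $(openssh_status "$sample_v")"    # affected
    echo "privsep explicitly enabled: $(privsep_enabled "$cfg")"  # no
    rm -f "$cfg"
}
demo
```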

There is a remotely exploitable vulnerability in the Apache Web server that can be used to execute arbitrary code on the server with the permissions of the user account running Apache. It has been reported that all versions of Apache before 1.3.26 and 2.0.37 are vulnerable. Exploit programs have been released that automate the exploitation of this vulnerability under OpenBSD, FreeBSD, and NetBSD. It is very likely that other exploit scripts or applications have been or will be released for other operating systems.

Users should upgrade to a repaired version of the Apache Web server. It has been reported that the repaired versions are 2.0.39 and 1.3.26. Update packages have been announced for Red Hat Linux,
Mandrake Linux, Slackware Linux, OpenLinux, IBM Linux Affinity,
OpenPKG, Unisphere Networks SDX-300 Service Deployment System, and
EnGarde Secure Linux.

BIND 9 is vulnerable to a denial-of-service attack that, when exploited, will cause the BIND daemon to shut down. The denial-of-service attack is conducted by sending a carefully-crafted DNS packet that causes a function to call abort() and shut down the BIND daemon. The attacker cannot cause code to be executed, nor any files to be written, by exploiting this problem. BIND versions 4 and 8 are not reported to be
vulnerable.

Affected users should upgrade to BIND 9.2.1 or watch their vendor for an update. Packages containing a repaired version of BIND have been announced for SuSE Linux, Conectiva Linux, Open UNIX, and Red Hat Linux.

A buffer overflow in the DNS resolver code of libc has been reported. This buffer overflow may be exploitable by an attacker who controls a DNS server: a crafted reply can overflow a resolver library function
(the example given in the report was the function gethostbyname) on
the local machine and allow the attacker to execute arbitrary code.

It is reported that libc in the CVS repositories for FreeBSD, NetBSD,
and OpenBSD has been fixed.

Several RADIUS servers, including radiusd-cistron, freeradius,
livingston-radius, and radiusclient, are vulnerable to a buffer overflow in the code that deals with digest calculations. This buffer
overflow can be used by a remote attacker to execute arbitrary code on the server using the permissions of the user running the RADIUS
daemon.

It is recommended that users upgrade their affected RADIUS daemon to a repaired version. The buffer overflow is reported to be fixed in version 1.6.5 of radiusd-cistron and version 0.3.2 of radiusclient.

dnstools is a Web-based DNS configuration and administration tool. It has a flaw that can be used by an attacker to access pages with administrative privileges, allowing the attacker to modify the DNS records on the server.

The XChat Internet Relay Chat (IRC) client is vulnerable to a remote attack that can be used to execute arbitrary commands on the client with the permissions of the user running XChat. The attacker must control an IRC server that the client connects to, and cause it to send a malicious response back to the client during a /dns command, in order to exploit this vulnerability.

Users should upgrade XChat to version 1.8.9 or newer as soon as
possible.

pmpost, part of the Performance Co-Pilot, has a bug that can be used by a local attacker to append data to system files, possibly leading to a root compromise. The Performance Co-Pilot package is not installed by default on IRIX 6.5 systems.

Affected users should contact SGI for updated packages. Users who
choose not to upgrade the Performance Co-Pilot package should remove the set-user-id bit from /usr/pcp/bin/pmpost. SGI states that removing the set-user-id bit will prevent non-root processes from appending to /var/adm/pcplog/NOTICES.